Gerald (Jerry) Carter
2003-Apr-07 12:02 UTC
[Samba] [SECURITY] Samba 2.2.8a security available for download
This release provides an important security fix outlined in the release notes that follow. This is the latest stable release of Samba and the version that all production Samba servers should be running for all current bug-fixes.

The source code can be downloaded from:

http://download.samba.org/samba/ftp/

in the file samba-2.2.8a.tar.gz or samba-2.2.8a.tar.bz2. Both archives have been signed using the Samba Distribution Key (available in the samba directory on the web server).

Binary packages will be released shortly for major platforms and can be found at

http://download.samba.org/samba/ftp/Binary_Packages/

As always, all bugs are our responsibility.

--Sincerely
The Samba Team

****************************************
* IMPORTANT: Security bugfix for Samba *
****************************************

Summary
-------

Digital Defense, Inc. has alerted the Samba Team to a serious vulnerability in all stable versions of Samba currently shipping. The Common Vulnerabilities and Exposures (CVE) project has assigned the ID CAN-2003-0201 to this defect.

This vulnerability, if exploited correctly, leads to an anonymous user gaining root access on a Samba serving system. All versions of Samba up to and including Samba 2.2.8 are vulnerable. An active exploit of the bug has been reported in the wild. Alpha versions of Samba 3.0 and above are *NOT* vulnerable.

Credit
------

The Samba Team would like to thank Erik Parker and the team at Digital Defense, Inc. for their efforts spent in the responsible and timely reporting of this bug.

Patch Availability
------------------

The Samba 2.2.8a release contains only updates to address this security issue. A roll-up patch for release 2.2.7a and 2.0.10 addressing both CAN-2003-0201 and CAN-2003-0085 can be obtained from http://www.samba.org/samba/ftp/patches/security/.
Gerald (Jerry) Carter
2003-Apr-07 12:46 UTC
[Samba] Re: [SECURITY] Samba 2.2.8a security available for download
On Mon, 7 Apr 2003, Gerald (Jerry) Carter wrote:

> This release provides an important security fix outlined in the
> release notes that follow. This is the latest stable release of
> Samba and the version that all production Samba servers should be
> running for all current bug-fixes.
>
> The source code can be downloaded from:
>
> http://download.samba.org/samba/ftp/
>
> in the file samba-2.2.8a.tar.gz or samba-2.2.8a.tar.bz2.
> Both archives have been signed using the Samba Distribution Key
> (available in the samba directory on the web server).

This is the announcement from Digital Defense that went out to BUGTRAQ this morning.

http://www.digitaldefense.net/labs/advisories/DDI-1013.txt

I will remind people that there is a published exploit for this bug, so patching your servers should be top priority today.

Our apologies for the past two security issues.

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
"You can never go home again, Oatman, but I guess you can shop there."
   --John Cusack - "Grosse Point Blank" (1997)
Nicki Messerschmidt, Linksystem Muenchen GmbH
2003-Apr-07 13:42 UTC
[Samba] Re: [SECURITY] Samba 2.2.8a security available for download
Gerald (Jerry) Carter wrote:

> Binary packages will be released shortly for major platforms and
> can be found at
>
> http://download.samba.org/samba/ftp/Binary_Packages/
>
> As always, all bugs are our responsibility.

Could you please try to fix your binary download area so that it is possible to use apt to download the Debian packages? I already described in a mail what has to be done...

Thanks a lot and cheers
Nicki
--
Linksystem Muenchen GmbH          info@link-m.de
Schloerstrasse 10                 http://www.link-m.de
80634 Muenchen                    Tel. 089 / 890 518-0
We make the Net work.             Fax 089 / 890 518-77
Gerald (Jerry) Carter
2003-Apr-07 14:02 UTC
[Samba] Re: [SECURITY] Samba 2.2.8a security available for download
On Mon, 7 Apr 2003, Nicki Messerschmidt, Linksystem Muenchen GmbH wrote:

> Could you please try to fix your binary download area that it is
> possible to use apt to download the debian packages? I already described
> in a mail what has to be done...

Simo is maintaining the Debian packages. Simo?

cheers, jerry
Herbert Lewis
2003-Apr-07 14:21 UTC
[Samba] Re: [SECURITY] Samba 2.2.8a security available for download
IRIX binaries have been uploaded to samba.org and will soon be available on the mirror sites.

"Gerald (Jerry) Carter" wrote:

> This release provides an important security fix outlined in the
> release notes that follow. This is the latest stable release of
> Samba and the version that all production Samba servers should be
> running for all current bug-fixes.
>
> [remainder of the 2.2.8a announcement quoted in full; see the original message above]
Nicki Messerschmidt, Linksystem Muenchen GmbH
2003-Apr-07 16:40 UTC
[Samba] Re: [SECURITY] Samba 2.2.8a security available for download
David Morel wrote:

> my mailer tells me your key is invalid ;-)

Do you have the recent key? Or does your mail program modify my mail before it gets passed to gpg? Can anyone verify this statement? My mailer tells me that everything is fine...

Cheers
Nicki
Buchan Milne
2003-Apr-07 19:28 UTC
[Samba] Re: [SECURITY] Samba 2.2.8a security available for download
Gerald (Jerry) Carter wrote:

> This release provides an important security fix outlined in the
> release notes that follow. This is the latest stable release of
> Samba and the version that all production Samba servers should be
> running for all current bug-fixes.
>
> The source code can be downloaded from:
>
> http://download.samba.org/samba/ftp/
>
> in the file samba-2.2.8a.tar.gz or samba-2.2.8a.tar.bz2.
> Both archives have been signed using the Samba Distribution Key
> (available in the samba directory on the web server).
>
> Binary packages will be released shortly for major platforms and
> can be found at
>
> http://download.samba.org/samba/ftp/Binary_Packages/
>
> As always, all bugs are our responsibility.

While the Mandrake Security Team has already issued updates to 2.2.7a for all supported releases, RPMS of 2.2.8a are being made available for Mandrake, including RPMS built with LDAP support (which are currently unsupported by Mandrake).

At present, RPMS for 9.0 and 8.0 are available at http://ranger.dnsalias.com/mandrake/9.0/samba/ and http://ranger.dnsalias.com/mandrake/8.0/samba/ respectively. RPMS for 8.1, 8.2 and 9.0 are in progress and should be available within 12 hours, after which RPMS for all these releases will be updated on the samba FTP mirrors.

urpmi can be used to update the RPMs; please see the instructions on http://ranger.dnsalias.com/mandrake/samba/, or once the RPMS are available on the mirrors, the README.txt.

(Of course, these packages are also unsupported by Mandrakesoft, and have only seen minimal testing on my production machines.)

Regards,
Buchan
--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                     http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1  72D6 AC92 BA50 60D2 04A7
Christopher Odenbach
2003-Apr-08 11:43 UTC
[Samba] [SECURITY] Samba 2.2.8a security available for download
Hi,

> The source code can be downloaded from:
>
> http://download.samba.org/samba/ftp/
>
> in the file samba-2.2.8a.tar.gz or samba-2.2.8a.tar.bz2.

there have been (at least) two small patches after 2.2.8, concerning

- Solaris 8, SunCC, LDAP: solaris_ldapsam.patch (Jerry)
- 2.2.1a / 2.2.2 bug is back in 2.2.8: smbd/close.c (Jeremy)

Are these two patches included in the new 2.2.8a release, or do I have to patch it myself?

Regards,
Christopher
--
=====================================================
Dipl.-Ing. Christopher Odenbach
HNI Rechnerbetrieb
odenbach@uni-paderborn.de
Tel.: +49 5251 60 6215
======================================================